When Reverse Engineering of PCBs Becomes Reverse Analysis

A schematic does not have to be well-drawn to become net-listed and turned into a PCB layout, but turning a PCB layout back into a functionally informative schematic takes more effort.

There was a time when PCB layout designers worked from schematics that were usually drawn in a meaningful way so as to show circuit functionality and to be readable. For example, cross-page connects indicated by angled wires pointing to each other. (See Why I Prefer to Create My Own PCB Symbols.)

The PCB designers made the physical parts placement follow the schematics in a logical way; components that formed functional groupings tended to remain co-located and the schematics could usually be read and understood by others -- including those who later had to use those schematics to deduce circuit operation and perform troubleshooting and repair. Re-creating a schematic from such a PCB was fairly easy.

Then along came CAD/CAE. The art of schematic drawing became debased into an electronic Etch A Sketch capture tool, whose main purpose was to create a netlist so the PCB designer could use a "rat's nest" on-screen display to complete the planting of the copper traces. Any semblance of analog rules and communication between the design engineer and the PCB layout designer was lost in the digitized dumbing-down.

All too often, the components were simply thrown at the virtual board and a multi-layer autorouter did the work. The PCB designer never even looked at the schematics and -- in many cases -- could not have understood them anyway. The resulting PCBs no longer consisted of nicely grouped functional blocks of circuitry; components ended up helter-skelter wherever they were originally (and randomly) placed. So there really was no longer any incentive -- or time in the development schedule -- for the design engineer to make the additional effort to draw readable and meaningful schematics; nobody read them anyway.

I must admit that the first time I used CAD, I was rushed ("the schedule says this has gotta be done by next week!") and my schematic was atrocious. The CAD software was not user-friendly when it came to adding additional pages once a schematic had been started. Adding more and more functions as the design progressed, I had to snake wires around the periphery of the over-crowded drawings in a way that was totally incomprehensible to anyone reading the schematic. This didn't bother me too much at first -- I knew how the thing was supposed to work and the schematic did create the netlist, which was all the PCB layout designer required.

Even then, the layout designer did not place my components where I told him to, causing the "privy too close to the well" problem discussed here on EE Times recently. But six months later, while trying to decipher a signal path from that unholy schematic, I swore that I would never draw such a useless piece of garbage ever again.

Fast forward 30 years. Much of my effort is now spent studying and analyzing PCBs from defunct OEMs for which our sales people promise our customers "We can fix anything!" Never mind that we have never seen it before, have no clue what it is supposed to do, have no backplane to slide it into, have no user manuals, have no schematics, but -- absolutely yes -- we can repair it! (Also, pigs can fly; I saw it on a TV commercial for car insurance.)

So, I have to turn these PCBs back into schematics, and then make those schematics readable so as to build test fixtures, write circuit descriptions, and clearly indicate the circuit functions for our troubleshooting technicians. And yes, I have seen many a PCB that was very obviously created by "splashing components" onto the "canvas" (much as is done by some modern art painters in a questionable state of sobriety) and clicking the auto-route button.

How can this task be accomplished effectively? Two tools I have found to be indispensible are a decent low-delta-R-indication continuity tester for unambiguously sniffing out very low-resistance PCB nets (see the EDN Milliohm Squawker Design Idea) and a schematic capture package with drawing features that go far above and beyond the ability to simply create a netlist.

The schematic tool I use is freeware called TinyCAD (you can download it from SourceForge.net). While it is not perfect, it does have some very nice features that lend themselves to circuit analysis, along with basic schematic and mechanical drawing. Other drawing tools may be just as usable, but I have not studied them. The purpose of this column is to highlight the useful features of drawing software as applicable to reverse engineering. If you are aware of similar features in your own favorite drawing software, by all means comment on them below.

The first thing to realize is that a reverse engineering schematic is not intended to ever produce a netlist, so you can get away with all sorts of misdemeanors that make your drawings visually more appealing. While TinyCAD sports an extensive library of component symbols that have a very limited re-sizing option, depending on the PCB size you may prefer to construct your components as graphic objects instead of electronic components. The advantages of doing this are that the graphic objects can then be colored to represent top-side or bottom-side surface mount locations on the same drawing; also, they can be made extremely small so that the entire PCB can fit on a single drawing page.

@ antedeluvian Do you ever have a call to reverse engineer programmed logic

Only once, an FPGA was being discontinued but the supplier had a new replacement version in the same package, and also the tools to convert the old programming to the new device. It did not work, and because our employer had purchased the product line from an earlier defunct company we did not have any of the original design files.

My colleague knew how to convert the program files to a readable schematic (he was the digital half of our team), and i noted that the converted schematic had eliminated buffers in several circuits - the conversion tool thought we did not need multiple buffers in series. I took one look at the original schematic and realized the multiple buffers were being used as delay elements in ring oscillators; obviously when the conversion tool removed all that 'useless' delay the oscillators stopped working.

An over-ride to the default extraneous buffer removal option of the conversion tool solved the problem. I wrote about this in more detail in a Scope Junction blog, but...

I have done a little reverse engineering, and I must say I admire your systematic approach and obvious patience.

Do you ever have a call to reverse engineer programmed logic like PLDs and/or micros. If so how do you go about reversing that? I once had to reverse engineer an 8048 based paging system in order to add a few functions. It was pretty difficult even with an emulator, trying to find the hooks to add the additional code. These modifications happened quite often and finally the customer came up with the source code. That made my life much easier.

Which merged with Cadnetix to become Dazix - now there's a winner of a name for you - not! Max was there way back when.

Glen, I take it you don't often (ever?) have the PCB layout file to work with? If you did, you might have a reason to generate a netlist. Checking the schematic-generated netlist versus the layout-generated netlist would be one more layer of idiot-proofing. I do as much idiot-proofing as is practical because I'm usually the idiot!

I'm reminded of a Dilbert cartoon in which Dogbert tells a caller to his tech support center, "Yes, our software is idiot-proof. The fact that you bought it is proof you're an idiot!"